Dynamic Event Trees without Success Criteria. Application to Full Spectrum LOCA sequences. Calculation of Damage Exceedance Frequency with Integrated Safety Assessment (ISA) Methodology
ABSTRACT The Integrated Safety Assessment (ISA) methodology, developed by the Spanish Nuclear Safety Council (CSN), has been applied to obtain the Dynamic Event Trees (DETs) for Full Spectrum Loss of Coolant Accidents (LOCAs) of a Westinghouse 3-loop PWR plant. The purpose of this ISA application is to obtain the Damage Exceedance Frequency (DEF) for the LOCA Event Tree by taking into account the uncertainties in the break area and the operator actuation time needed to cool down and depressurize reactor coolant system by means of steam generators. Simulations are performed with SCAIS, a software tool which includes a dynamic coupling with MAAP thermal hydraulic code. The results show the capability of the ISA methodology to obtain the DEF taking into account the time uncertainty in human actions.
J. Gil , J. J. Gómez-Magan, I. Fernández, H. Marrao,
Indizen Technologies S.L., Madrid, Spain
C. Queral, J. González-Cadelo, J. Montero-Mayorga, Julio Rivas, C. Ibañez-Llano,
Universidad Politécnica de Madrid (UPM), Madrid, Spain
J. M. Izquierdo, M. Sánchez-Perea, E. Meléndez and J. Hortal
Consejo de Seguridad Nuclear (CSN), Madrid, Spain
Keywords: Integrated Safety Assessment, Dynamic Event Trees, Loss of Coolant Accidents, Damage
As part of the collaboration between Universidad Politécnica de Madrid (UPM), Indizen Technologies
and the Spanish Nuclear Safety Council (CSN), an analysis of Full Spectrum Loss of Coolant
Accidents (LOCAs) in Cold Leg sequences in a PWR Westinghouse design has been performed with
SCAIS (Simulation Code for Integrated Safety Analysis). The objective of the analysis has been
the application of the Integrated Safety Assessment (ISA) methodology in order to obtain the
quantification of the Damage Exceedance Frequency (DEF) of the LOCA event tree.
The ISA methodology has been developed by the Modeling and Simulation (MOSI) branch of CSN,
and is suited to compute uncertainties for those sequences with events at uncertain times (time delay
of operator response and other stochastic events) along with usual parametric uncertainties. The
numerical result of this methodology consists of the DEF for the sequences stemming from an initiating
event. This is done along with the delineation of the Dynamic Event Tree (DET) and the identification
of the Damage Domain (DD) of the sequences that contribute to the total DEF. The DD is
defined as the region of the space of uncertain parameters of interest that results in damage. The UPM
group has applied this methodology extensively in several projects.
ISA methodology introduces some differences with respect to the classical Probabilistic Safety Analysis
➢ In PSA there is a header for each system including the success criteria of that system (2
➢ In the ISA context, however, event tree headers can represent hardware states (system trains
working or not) or operator actions. Therefore, headers can incorporate several branches, one
for each system configuration.
➢ In PSA a human action is failed if it is not performed within a pre-specified time interval
(available time). An action delayed beyond the available time is treated as a non-performed
➢ In ISA methodology, human actions are events occurring at uncertain times. A delayed action
is still a performed action even if it is not able to avoid a damage condition (limit
exceedance). As a consequence, a PSA success sequence, when analysed in the ISA context,
may contain a non-empty DD resulting from excessive delays of protective actions.
Figure 1. Stochastic headers.
➢ In PSA there are two end states for a sequence, damage or success with two possible
probability values: 0 / 1.
➢ In ISA methodology the end state has an associated probability: damage with probability Pd
and success with probability Ps ( Pd + Ps = 1).
Figure 2. Damage and success probabilities for a sequence. ( Pd + Ps = 1).
➢ In PSA the system failure probabilities do not depend on the dynamics of the sequence.
➢ In ISA methodology the failure rate could depend on process variables (i.e. temperature or
humidity conditions in the proximity of a pump). The general mathematical framework of
ISA equations for the damage frequency is the Theory of Stimulated Dynamics (TSD).
These equations are simplified if the failure rates do not depend on the process variables, as
is the case in this analysis.
Application of ISA methodology can be split into the following blocks (the general block-diagram is
shown in Figure 3, see also  for more details):
Block A, the sequence generation module performing the simulation of DETs. This will
provide the candidate sequences with non-trivial DD (i.e. neither success nor damage for all
conditions) that will be analyzed in detail in the Path Analysis module (Block B).
Block B, the paths analysis module that is repeatedly simulated with different values of
uncertain parameters and/or time delays (human actions or stochastic phenomena) of each
sequence of interest obtained in block A. Each such simulation, called a path, can end either in
a success or damage state. The region of parameter and/or time delays values that leads to
damage paths is the DD of the sequence.
Block C, the probability and delay times quantification module that provides the necessary
information to calculate in Block D (Risk Assessment) the probabilities and the contribution to
DEF of each sequence of interest.
Block D, the risk assessment module that calculates the DEF by integrating the TSD equations
on the DD region identified in block A.
Figure 3. ISA methodology general diagram.
Apart from a theoretical approach, the basis of the method, application of ISA requires a set of
computational tools. A suitable software package called SCAIS (Simulation Code System for ISA)
implements the above referred method. Current SCAIS development includes as main elements
(see Figure 4):
• General Simulation Driver (BABIECA), that solves step by step topologies of block diagrams.
• Event Scheduler (DENDROS), that drives the dynamic simulation of the different incidental
sequences. Its design guarantees modularity of the overall system and the parallelization of the
event tree generation.
• Plant Models, allowing simulation of nuclear accident sequences. This includes codes for
simulation of thermal hydraulics and severe accident phenomenology, as well as codes for
simulation of operating procedures and severe accident management guidelines. Codes such as
MELCOR, MAAP, RELAP and TRACE can be adapted to perform tree simulations under control of
the scheduler. At present MAAP4 is coupled to SCAIS to build up a distributed plant
• Path Analysis Module, which repeatedly simulates each sequence of interest with different
values of uncertain parameters and/or time delays (human actions or stochastic phenomena).
• Probability Calculator, which performs the Boolean product of the Fault Trees corresponding to
each system that intervenes in the sequence, and additionally computes its probability.
• Risk Assessment Module, which calculates the DEF by integrating TSD equations on the DD
1 Currently, a coupling to TRACE similar to the case of MAAP is being developed by Indizen in collaboration
Figure 4. SCAIS component schema.
2. SEQUENCES GENERATION MODULE. DYNAMIC EVENT TREE SIMULATION
The objective of Block A of the ISA methodology is to simulate the DET stemming from an initiating
event. At present, the simulations of DET performed by coupling MAAP and Dendros are performed in
an automatic way.
2.1. Application to LOCA Sequences.
In a first step, several cold leg LOCA event trees (small, medium and large) corresponding to PSA
studies of similar nuclear power plants (Westinghouse design) have been analyzed in order to build a
Generic LOCA Event Tree, see Figure 5. From the results of this analysis it has been concluded that the
following sequence headers must be considered:
Figure 5. Generic Event Tree for LOCA sequences.
Table 1. Headers of generic LOCA event tree.
High Pressure Safety Injection --> HPSI
Cooling, rate of 55 Kelvin/hour, and depressurization through secondary side --> S
Accumulator Safety Injection --> A
Low Pressure Safety Injection --> L (which includes the recirculation phase)
The analysis has considered the following hypotheses for the simulation of sequences:
i. Reactor scram coincident with LOCA event,
ii. Manual trip of Reactor Coolant Pumps (RCPs) when HPSI is available and,
iii. Manual control of Auxiliary Feed Water System (following the instructions of Emergency
Operating Procedures (EOPs) for LOCA accident E-0, E-1, ES-1.2, see Figure 6).
Figure 6. EOPs related with LOCA sequences.
A set of DETs have been obtained (1”, 2”, 3”, 4”, 5”, 6”, 7”, 8”, 11” and DEGB) taking into account all
the availability configurations of HPSI (0-1-2/2 HPSI) and ACCUM headers (0-1-2-3/3 ACCUM); only
the classical hypothesis of availability has been included in LPSI header (0-1/2) in order to reduce the
number of DET sequences.
When unfolding the DET, simulations do not consider time delays (in this case the S header occurs at
t = 900 s or never). Uncertain delay times are taken into account in Block B (Path Analysis) in order
to obtain the DDs, which is described later.
An example of the DETs and the results for some variables obtained with the coupled MAAP-SCAIS
codes are shown in Figures 7 and 8. DETs also provide the branching time for the headers. For example,
the results obtained for the 5 inch DET are shown in Table 2. In this table the bracketed time values, [t0],
indicate that the header has been demanded at time t0 but it is on a failed configuration (0/n).
Figure 7. DETs simulation LOCA(5 and 8 inches).
Figure 8. Pressure RCS and PCT for every sequence of the DET (5 inches).
(only 3-ACCUM results are shown in order to simplify the figures)
Table 2. Sequence information obtained from DET (5 inch).
DETs are grouped depending on the break size as is shown in Figure 9.
Figure 9. DETs grouped by break size.
The grouped sequences have different Success Criteria depending on the break size as is shown in
Figure 10. This result is one of the main objectives of this analysis, depicting the evolution of the
success criteria of different sequences as a function of the break size.
Figure 10. Success Criteria. LOCA sequences, 1 inch to DEGB.
(Cold Leg, RCP trip with EOPs conditions)
The next section details the time uncertainty in the S(t) header, referred to as Path Analysis.
3. PATH ANALYSIS MODULE
The Path Analysis Module (Block B) receives the sequence and parameter information of all branches
of DET from the Sequence Generation Module (Block A) and determines the DD of the candidate
sequences, by considering different values for the uncertain times considered in the analysis and
simulating each of these possible transients (paths). At present, the simulations performed by coupling
MAAP and SCAIS-PATH_ANALYSIS module are performed in an automatic way.
Headers that may occur at uncertain times (mainly operator actions but also events with stochastic
phenomenology) are defined as Non Deterministic Headers (NDH). In order to take into account this
uncertainty, a time sampling is performed between the minimum time when the header event becomes
possible and a maximum time (or the mission time, 24 hours) for each NDH, see Figure 11. If there
are several non-deterministic headers and/or uncertain parameters, a multidimensional time/parameter
sampling will be needed. Each sample gives rise to a path belonging to the sequence and the set of
paths leading to a damage condition (i.e., exceedance limit) depicts the DD of the sequence.
Figure 11. Path Analysis in a sequence with two NDH (headers A and B).
3.1 Application to Full Spectrum LOCA sequences.
Sequences analysis (Block A) has shown that the success criterion depends on the number of available
accumulators and also on the S header. Therefore, it is necessary to consider four branches for the A
header (0-1-2-3 of 3 ACCUM), in a similar way to the Expanded Event Trees which are used in the
AP1000 PSA. It is also necessary to take into account the time uncertainty in the S(t) header and
to consider the failure status of the S header due to the failure of mechanical components, which may
prevent the success of the human action.
Figure 12. Operator action (EOP ES-1.2). Time uncertainty.
All these considerations lead to a new event tree which includes the time uncertainties and all possible
configurations of the system named Generic Event Tree with Uncertainty (GETU), which is presented
in Figure 13. The LOCA GETU shows that:
i. one sequence which always has a final success state (U0),
ii. nine sequences which always have a final damage state (U1-3-5-7-9-11-13-15-17) and,
iii. eight sequences in which the final state is not always success or damage (U2-4-6-8-10-12-14-
16), identified in GETU as sequences with DD. For those sequences, it is necessary to obtain
the DD, i.e. the time/parameter region where the paths reach the damage condition.
Finally, it must be taken into account that the DDs from U10, U12, U14 and U16 are included in the
DDs from U2, U4, U6 and U8 respectively, because they correspond to the case in which the human
action is performed at t=∞. So, it is only necessary to obtain four DD (corresponding to U2, U4, U6 and
U8 sequences). These four DD are analyzed in the next step.
Figure 13. GETU for LOCA sequences.
The calculation process performed for each DD is the following:
1. For each break size and accumulator configuration, a set of paths is simulated with different
time delays for the start of secondary side cooling and depressurization, S(t). See figure 14 for
2. The results are represented with different types of points, see Figure 15: green markers
represent success paths, red ones represent damage paths with ACCUM demanded, and
grey ones represent damage paths without ACCUM demanded. Finally, the points (di, t0,i),
corresponding to time t0,i and break diameter di, where a damage condition is reached without
depressurization trace the line of Previous Damage (dotted red line). Obviously, starting
depressurization later than t0,i does not avoid damage.
3. With these results, it is possible to obtain the DD by connecting the first depressurization time
that leads to damage for each break size, red line in Figure 15. It can be noted that there are
damage paths with accumulator demand and others without it. This difference must be taken
into account to calculate probabilities or frequencies.
Figure 14. RCS Pressure and Peak Cladding Temperature in Path Analysis LOCA 1”.
(Sequence h - S(t) - (0/3A) – L)
Figure 15. Damage Domains, 0/1/2/3 ACCs available. h-S(t)-(n/3)A-L sequences.
With these results and the previous ones obtained in Block A it is possible to obtain the DD and
success criteria of every Ui sequence from GETU:
U0≡S1, which depends on the break diameter (d), is 1/2H-1/2L for d<7” and 1/2L for d≥7”,
U2, U4, U6 and U8 are the two-dimensional regions shown in Figure 16, which includes the
time uncertainty dependence of S header and break size.
U10, U12, U14 and U16 correspond to the one-dimensional regions (horizontal lines with
arrows) shown in Figure 15.
Therefore it has been possible to obtain the Success Criteria functions for all the sequences of the
GETU. The next section details the process of obtaining the Damage Exceedance Frequency (Block D) of
the GETU from these DD.
4. PROBABILITY CALCULATION AND RISK ASSESSMENT
The DEF is obtained by integrating the equations of the Theory of Stimulated Dynamics (TSD) inside
the DD of each sequence. This integration module constitutes the Risk Assessment module
(Block D). The equations of the TSD evaluate the frequency density of each path of a sequence and
need several probabilistic data that can be obtained from pre-existing PSAs and stochastic phenomena
models (Block C). In the application of the TSD the concept of “stimulus” of a dynamic event header is
defined as a condition that enables the event. In the simple case of a protective action the stimulus is the
demand of that action. In the TSD equations, the stimuli of all the dynamic events are assumed
deterministic, i.e., they can be directly derived from the simulation results. In addition, the probability
distributions of NDH do not show mutual dependencies and they do not depend on physical variables
either. In other words, these probability distributions are known functions of the delay from the
activation of the stimulus to the actual occurrence of the event.
4.1 Application to the sequences of LOCA event tree.
The data needed are the frequency of the initiating event (LOCA), the configuration probabilities of the
headers (H, S, A, L), the distributions of the break size and the delays of NDH (see Table 3). These
have been obtained by means of Binary Decision Diagrams using real PSA data.
Table 3. Initiator frequency and headers probabilities.
Initiator    Uncertainty       Frequency (y^-1)                            PDF
LOCA         Parametric        1.15E-3                                     Piecewise

             Type of header    Configuration probability                   PDF
(0-1/2)H     Deterministic     (1.730E-4) - (5.4E-2)                       ---
                               P. mechanical failure = (1 - 4.0E-3)
                               (5.0E-3) - (7.6E-2) - (0.426) - (0.493)
(0-1/2)L     Deterministic     (7.0E-4) - (2.81E-2)                        ---
Figure 16. PDFs for break size and manual cooldown.
The DEF of every sequence is obtained integrating the product of PDFs inside the DDs and taking into
account the configuration probabilities of all headers. The results obtained for every sequence of the
event tree are shown in Table 4, where blue color data correspond to the sequences in which the
frequencies and probabilities have been obtained integrating the product of PDFs inside the DD.
This result shows that a sequence is not necessarily a success or damage sequence but may be a
sequence with a probability of success and a probability of damage (sequences in blue color, Table 4).
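The Path Analysis of Section 3 and the integration of Section 4 can be sketched together as follows. This is an added example, not SCAIS code and not the authors' implementation: toy_plant stands in for a MAAP path simulation, and P_CONFIG, TAU and BREAK_BINS are constructed values; only the LOCA frequency, the 900 s actuation time and the 24 hour mission time come from the paper.

```python
"""Toy Path Analysis + Risk Assessment: damage domain and DEF for one sequence."""
import math

F_LOCA = 1.15e-3      # initiating event frequency per year (Table 3 of the paper)
T_MIN = 900.0         # s, earliest S(t) actuation used when unfolding the DET
T_MAX = 24 * 3600.0   # s, mission time
# Everything below is constructed for illustration only.
P_CONFIG = 0.5        # probability of the header configuration of this sequence
TAU = 1500.0          # s, mean operator delay after T_MIN (exponential PDF)
BREAK_BINS = [(1.0, 2.0, 0.70), (2.0, 6.0, 0.25), (6.0, 12.0, 0.05)]  # (lo, hi, P)


def toy_plant(d, t):
    """Stand-in for one simulated path: True if the path ends in damage.

    d is the break diameter in inches, t the S(t) actuation time in seconds.
    """
    return t >= T_MIN + 6000.0 / d


def dd_boundary(d, is_damage, tol=1.0):
    """First actuation time that leads to damage for break size d, or None.

    Assumes that any actuation later than a damaging one also leads to damage,
    so the boundary can be bracketed by bisection.
    """
    if not is_damage(d, T_MAX):
        return None                 # empty DD: success for every delay
    if is_damage(d, T_MIN):
        return T_MIN                # damage for every delay
    lo, hi = T_MIN, T_MAX           # lo is a success path, hi a damage path
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if is_damage(d, mid):
            hi = mid
        else:
            lo = mid
    return hi


def damage_probability(d, is_damage):
    """Integral of the delay PDF over the DD slice [boundary, inf) at break size d."""
    t_b = dd_boundary(d, is_damage)
    if t_b is None:
        return 0.0
    return math.exp(-(t_b - T_MIN) / TAU)   # exponential survival function


def damage_exceedance_frequency(is_damage, steps_per_bin=50):
    """F_LOCA * P_CONFIG * integral over d of f_d(d) * P(damage | d), midpoint rule."""
    total = 0.0
    for lo, hi, weight in BREAK_BINS:
        h = (hi - lo) / steps_per_bin
        density = weight / (hi - lo)        # piecewise-constant break-size PDF
        for k in range(steps_per_bin):
            total += density * damage_probability(lo + (k + 0.5) * h, is_damage) * h
    return F_LOCA * P_CONFIG * total


if __name__ == "__main__":
    for d in (1.0, 3.0, 8.0):
        print(f"d={d:4.1f} in  boundary={dd_boundary(d, toy_plant):7.0f} s  "
              f"Pd={damage_probability(d, toy_plant):.3f}")
    print(f"DEF = {damage_exceedance_frequency(toy_plant):.3e} per year")
```

The sequence is neither a pure success nor a pure damage sequence: each break size has its own damage probability, and the DEF is the frequency-weighted integral of those probabilities over the break-size distribution.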
Table 4. DEF of LOCA event tree.
Cold Leg RCP trip with EOPs
1.15E-3 8.27E-6 0.007
This paper shows an application of the ISA methodology for the analysis of Full Spectrum LOCA
sequences using SCAIS coupled with MAAP code. In general, the results have shown the capability
and necessity of an ISA-like methodology in order to properly account for uncertainties in the time
delay of operator response and other stochastic events along with usual parametric uncertainties in the
evaluation of the safety in a NPP.
In PSA each sequence has a well-defined final state, success or damage. However, this analysis has
pointed out that it is possible to have for the same sequence a damage probability and a success
probability, illustrating the importance of Path Analysis and Risk Assessment.
 Gil, J. et al. “A code for simulation of human failure events in nuclear power plants: SIMPROC.”,
Nuclear Engineering and Design. Nº 241, 1097–1107 (2011).
 C. Queral, et al. “Application of a Dynamic Event Tree Methodology to SGTR Sequences”, Proc.
Int. Conf. The 9th International Topical Meeting on Nuclear Thermal-Hydraulics, Operation and
Safety (NUTHOS-9), Kaohsiung, Taiwan, September 9-13 (2012).
 Gómez-Magán, J.J. et al. “Calculation of Damage Frequencies without Criteria Hypothesis
Application to LOCA Sequences.”, Proceeding Probabilistic Safety Assessment (PSAM-11).
Helsinki, Finland, June 25-29, (2012).
 NEA/CSNI/2011(3). “Safety Margin Assessment and Application. Final Report.”
 Queral, C et al. “Application of the Integrated Safety Assessment Methodology to Sequences with
Loss of Component Cooling Water System.”, Proceeding OECD/CSNI Workshop on Best Estimate
Methods and Uncertainty Evaluations. Barcelona, Spain, November 16-18, (2011).
 Hortal, F.J., et al. “Application of the Damage Domain approach to the calculation of exceedance
frequencies.”, Proceeding 10th International Probabilistic Safety Assessment & Management
Conference, PSAM10 (2010).
 Ibáñez, L., et al “Damage Domain Approach as a Strategy of Damage Exceedance Computation”,
Proc. Int. Conf. Nuclear Energy for New Europe (NENE), Portoroz, Slovenia (2010).
 Ibáñez, C., Rauzy, A., Meléndez, E., Nieto, F. "Minimal cutsets-based reduction approach for the
use of binary decision diagrams on probabilistic safety assessment fault tree models", Proceedings
of the Institution of Mechanical Engineers, Part O: Journal of Risk and Reliability. Vol. 223, pp.
 Izquierdo, J.M. et al. “SCAIS (Simulation Code System for Integrated Safety Assessment): Current
status and applications.”, Proc. ESREL 08, Valencia, Spain (2008).
 Izquierdo, J.M. et al. "TSD, a SCAIS suitable variant of the SDTPD", Proc. ESREL 2008,
Valencia, Spain (2008).
 J.M. Izquierdo et al. "Status of the Integrated Safety Assessment Methodology and its
Applications", Proc. Nuclear Energy for New Europe, Portorož, Slovenia (2008).
 Sancaktar, S., Schultz, T., “Risk Informed PRA Success Criteria. Application to AP1000.”;
ICAPP'04: 2004 international congress on advances in nuclear power plants, Pittsburgh, PA
(United States), 13-17 Jun (2004).
 MAAP User’s group “MAAP4, Modular Accident Analysis program for LWR Power plants.”,
Computer Code User’s Manual (1994).